Cyber Liability: An Emerging Risk for Directors & Officers
Directors and officers are vulnerable to a number of exposures from securities and business litigation, including breach of fiduciary duty, derivative shareholder action, securities fraud, and class action suits. Although the number of suits filed in the first quarter of 2013 fell for three out of four of these exposures (all but class action suits), directors and officers increasingly face legal action stemming from cyber liability risks.
Cyber risk, which may have started out for many companies as a nuisance, has become a prevalent issue across all industry sectors, affecting public entities, educational institutions, large corporations and mid- to small-size businesses. The frequency and sophistication of cyber crimes and attacks are growing, and organizations are looking to implement stronger security measures to protect their data, their clients’ information, intellectual property, etc.
Moreover, cyber risks come from a variety of sources, including disgruntled employees, loss or theft of equipment (such as a laptop), criminals looking to leverage personal data (like credit cards and banking information) for monetary gain, nation states looking to steal patents and intellectual property, and so on.
These cyber attacks can result in significant costs for businesses, including legal defense costs and possible indemnification as a result of class-action suits, breach notification expenses and reputational damage. In addition, if a business is shut down due to a cyber attack, the loss of revenue can be catastrophic.
It’s imperative, therefore, that directors and officers understand the threats and the potential impact a cyber attack may have on their organization. In addition, in public corporations, directors and officers may find themselves increasingly being held accountable by both shareholders and regulators as a result of a loss linked to a cyber attack. For example, a corporation that experiences a data breach may become the target of a securities class action if disclosure of the breach can be tied to a statistically significant drop in the company’s stock price. Shareholders could pursue litigation alleging, for instance, that a director breached his or her fiduciary duties to the organization by failing to ensure proper security measures to prevent the cyber attack.
Directors and officers not only need to ensure adequate risk management policies and protocols throughout their organization along with strong security measures, but they also need to have a full understanding of the regulations in place. For example, the SEC in October 2011 expanded its disclosure requirements to include cybersecurity risks. Public companies must disclose in their securities filings data breach exposures, attacks or other cyber incidents that have occurred. In addition, the FTC “Red Flag Rule” requires many companies to adopt an identity theft protection program that identifies warning signals of identity theft. These companies include financial institutions and creditors that hold consumer accounts designed to permit multiple payments or transactions. The rule requires the program to be approved by the board of directors or a committee designated by the board.
Cyber is an important risk for all companies and should be addressed when looking at a firm’s or organization’s insurance and risk management program. Caitlin-Morgan provides a complete portfolio of insurance products for your insureds, including Directors & Officers Liability insurance. Give us a call at 877.226.1027 to discuss your client’s specific insurance needs.
Sources: Advisen, Federal Trade Commission